FC2 unpatched, critical vulnerabilities?

[Lorenzo Musizza]

Hi all,
one of my friends just had his FC2 based simple mailserver (with no
3rd party software and only smtp/pop/imap services running) hacked.
He told me that he noticed something strange seeing an unknown ip
address in the "Last login from" when logged in as root. Then he
changed the root password and waited: the same ip showed up in the
secure log as a failed login attempt but after only 5 seconds the logs
said ssh root login was successful.
My friend admitted he never patched the server with updates, and I
know allowing root ssh login is not recommended, but still I am a
little surprised.
Which are the most important vulnerabilities than can lead to a root
remote login on a plain FC2 box?
Thanks in advance,

Luciano